diff options
author | Vincent Ambo <mail@tazj.in> | 2020-06-29T21·14+0100 |
---|---|---|
committer | tazjin <mail@tazj.in> | 2020-06-29T21·24+0000 |
commit | dc079778669968429b475c0e7ce020951fe769da (patch) | |
tree | 6d466032054137e474280d6de666a89ea3dae045 /ops | |
parent | d3f9cb0ec398d25a3be01cbc7c9b1ee8716b877f (diff) |
chore(ops): Clean up old GCP infrastructure files r/1130
This removes almost all of the GCP-infrastructure leftovers from my previous setup. The DNS configuration is retained, but moves to my user folder instead. Change-Id: I1867acd379443882f11a3c645846c9902eadd5b0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/782 Tested-by: BuildkiteCI Reviewed-by: eta <eta@theta.eu.org> Reviewed-by: isomer <isomer@tvl.fyi>
Diffstat (limited to 'ops')
28 files changed, 0 insertions, 687 deletions
diff --git a/ops/infra/.skip-subtree b/ops/infra/.skip-subtree deleted file mode 100644 index cee24b75793c..000000000000 --- a/ops/infra/.skip-subtree +++ /dev/null @@ -1,2 +0,0 @@ -Code under //ops/infra is mostly configuration for other tools, not -Nix derivations to be built. diff --git a/ops/infra/dns/import b/ops/infra/dns/import deleted file mode 100755 index e79e426b5553..000000000000 --- a/ops/infra/dns/import +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -set -ue - -# Imports a zone file into a Google Cloud DNS zone of the same name -readonly ZONE="${1}" - -gcloud dns record-sets import "${ZONE}" \ - --project composite-watch-759 \ - --zone-file-format \ - --delete-all-existing \ - --zone "${ZONE}" diff --git a/ops/infra/dns/kontemplate-works b/ops/infra/dns/kontemplate-works deleted file mode 100644 index 326a129d2105..000000000000 --- a/ops/infra/dns/kontemplate-works +++ /dev/null @@ -1,15 +0,0 @@ -;; -*- mode: zone; -*- -;; Do not delete these -kontemplate.works. 21600 IN NS ns-cloud-d1.googledomains.com. -kontemplate.works. 21600 IN NS ns-cloud-d2.googledomains.com. -kontemplate.works. 21600 IN NS ns-cloud-d3.googledomains.com. -kontemplate.works. 21600 IN NS ns-cloud-d4.googledomains.com. -kontemplate.works. 21600 IN SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 4 21600 3600 259200 300 - -;; Github site setup -kontemplate.works. 60 IN A 185.199.108.153 -kontemplate.works. 60 IN A 185.199.109.153 -kontemplate.works. 60 IN A 185.199.110.153 -kontemplate.works. 60 IN A 185.199.111.153 - -www.kontemplate.works. 60 IN CNAME tazjin.github.io. diff --git a/ops/infra/dns/oslo-pub b/ops/infra/dns/oslo-pub deleted file mode 100644 index 674687484b90..000000000000 --- a/ops/infra/dns/oslo-pub +++ /dev/null @@ -1,8 +0,0 @@ -;; Do not delete these -oslo.pub. 21600 IN NS ns-cloud-c1.googledomains.com. -oslo.pub. 21600 IN NS ns-cloud-c2.googledomains.com. -oslo.pub. 21600 IN NS ns-cloud-c3.googledomains.com. -oslo.pub. 21600 IN NS ns-cloud-c4.googledomains.com. -oslo.pub. 21600 IN SOA ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com. 4 21600 3600 1209600 300 - -oslo.pub. 60 IN A 46.21.106.241 diff --git a/ops/infra/dns/root-tazj-in b/ops/infra/dns/root-tazj-in deleted file mode 100644 index 43db5834a0ca..000000000000 --- a/ops/infra/dns/root-tazj-in +++ /dev/null @@ -1,33 +0,0 @@ -;; -*- mode: zone; -*- -;; Do not delete these -tazj.in. 21600 IN NS ns-cloud-a1.googledomains.com. -tazj.in. 21600 IN NS ns-cloud-a2.googledomains.com. -tazj.in. 21600 IN NS ns-cloud-a3.googledomains.com. -tazj.in. 21600 IN NS ns-cloud-a4.googledomains.com. -tazj.in. 21600 IN SOA ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 123 21600 3600 1209600 300 - -;; Email setup -tazj.in. 300 IN MX 1 aspmx.l.google.com. -tazj.in. 300 IN MX 5 alt1.aspmx.l.google.com. -tazj.in. 300 IN MX 5 alt2.aspmx.l.google.com. -tazj.in. 300 IN MX 10 alt3.aspmx.l.google.com. -tazj.in. 300 IN MX 10 alt4.aspmx.l.google.com. -tazj.in. 300 IN TXT "v=spf1 include:_spf.google.com ~all" -google._domainkey.tazj.in. 21600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9AphX/WJf8zVXQB5Jk0Ry1MI6ARa6vEyAoJtpjpt9Nbm7XU4qVWFRJm+L0VFd5EZ5YDPJTIZ90lJE3/B8vae2ipnoGbJbj8LaVSzzIPMbWmhPhX3fkLJFdkv7xRDMDn730iYXRlfkgv6GsqbS8vZt7mzxx4mpnePTI323yjRVkwRW8nGVbsmB25ZoG1/0985" "kg4mSYxzWeJ2ozCPFhT4sfMtZMXe/4QEkJz/zkod29KZfFJmLgEaf73WLdBX8kdwbhuh2PYXt/PwzUrRzF5ujVCsSaTZwdRVPErcf+yo4NvedelTjjs8rFVfoJiaDD1q2bQ3w0gDEBWPdC2VP7k9zwIDAQAB" - -;; Site verifications -tazj.in. 3600 IN TXT "keybase-site-verification=gC4kzEmnLzY7F669PjN-pw2Cf__xHqcxQ08Gb-W9dhE" -tazj.in. 300 IN TXT "google-site-verification=d3_MI1OwD6q2OT42Vvh0I9w2u3Q5KFBu-PieNUE1Fig" -www.tazj.in. 3600 IN TXT "keybase-site-verification=ER8m_byyqAhzeIy9TyzkAU1H2p2yHtpvImuB_XrRF2U" - -;; Blog "storage engine" -blog.tazj.in. 21600 IN NS ns-cloud-c1.googledomains.com. -blog.tazj.in. 21600 IN NS ns-cloud-c2.googledomains.com. -blog.tazj.in. 21600 IN NS ns-cloud-c3.googledomains.com. -blog.tazj.in. 21600 IN NS ns-cloud-c4.googledomains.com. - -;; Webpage records setup -tazj.in. 300 IN A 34.98.120.189 -www.tazj.in. 300 IN A 34.98.120.189 -git.tazj.in. 300 IN A 34.98.120.189 -files.tazj.in. 300 IN CNAME c.storage.googleapis.com. diff --git a/ops/infra/gcp/.gitignore b/ops/infra/gcp/.gitignore deleted file mode 100644 index 96c7538dda8a..000000000000 --- a/ops/infra/gcp/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -.terraform -*.tfstate -*.tfstate.backup diff --git a/ops/infra/gcp/default.tf b/ops/infra/gcp/default.tf deleted file mode 100644 index d2e31090b560..000000000000 --- a/ops/infra/gcp/default.tf +++ /dev/null @@ -1,116 +0,0 @@ -# Terraform configuration for the GCP project 'tazjins-infrastructure' - -provider "google" { - project = "tazjins-infrastructure" - region = "europe-north1" - version = "~> 2.20" -} - -# Configure a storage bucket in which to keep Terraform state and -# other data, such as Nixery's layers. -resource "google_storage_bucket" "tazjins-data" { - name = "tazjins-data" - location = "EU" -} - -terraform { - backend "gcs" { - bucket = "tazjins-data" - prefix = "terraform" - } -} - -# Configure enabled APIs -resource "google_project_services" "primary" { - project = "tazjins-infrastructure" - services = [ - "bigquery-json.googleapis.com", - "bigquerystorage.googleapis.com", - "cloudapis.googleapis.com", - "cloudbuild.googleapis.com", - "clouddebugger.googleapis.com", - "cloudfunctions.googleapis.com", - "cloudkms.googleapis.com", - "cloudtrace.googleapis.com", - "compute.googleapis.com", - "container.googleapis.com", - "containerregistry.googleapis.com", - "datastore.googleapis.com", - "distance-matrix-backend.googleapis.com", - "dns.googleapis.com", - "gmail.googleapis.com", - "iam.googleapis.com", - "iamcredentials.googleapis.com", - "logging.googleapis.com", - "monitoring.googleapis.com", - "oslogin.googleapis.com", - "pubsub.googleapis.com", - "run.googleapis.com", - "secretmanager.googleapis.com", - "servicemanagement.googleapis.com", - "serviceusage.googleapis.com", - "sourcerepo.googleapis.com", - "sql-component.googleapis.com", - "storage-api.googleapis.com", - "storage-component.googleapis.com", - ] -} - - -# Configure the main Kubernetes cluster in which services are deployed -resource "google_container_cluster" "primary" { - name = "tazjin-cluster" - location = "europe-north1" - - remove_default_node_pool = true - initial_node_count = 1 -} - -resource "google_container_node_pool" "primary_nodes" { - name = "primary-nodes" - location = "europe-north1" - cluster = google_container_cluster.primary.name - node_count = 1 - - node_config { - preemptible = true - machine_type = "n1-standard-2" - - oauth_scopes = [ - "storage-rw", - "logging-write", - "monitoring", - "https://www.googleapis.com/auth/source.read_only", - ] - } -} - -# Configure a service account for which GCS URL signing keys can be created. -resource "google_service_account" "nixery" { - account_id = "nixery" - display_name = "Nixery service account" -} - -# Configure Cloud KMS for secret encryption -resource "google_kms_key_ring" "tazjins_keys" { - name = "tazjins-keys" - location = "europe-north1" - - lifecycle { - prevent_destroy = true - } -} - -resource "google_kms_crypto_key" "kontemplate_key" { - name = "kontemplate-key" - key_ring = google_kms_key_ring.tazjins_keys.id - - lifecycle { - prevent_destroy = true - } -} - -# Configure the git repository that contains everything. -resource "google_sourcerepo_repository" "depot" { - name = "depot" -} diff --git a/ops/infra/kubernetes/cgit/config.yaml b/ops/infra/kubernetes/cgit/config.yaml deleted file mode 100644 index 73392adaad81..000000000000 --- a/ops/infra/kubernetes/cgit/config.yaml +++ /dev/null @@ -1,80 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: gcsr-secrets -type: Opaque -data: - username: "Z2l0LXRhemppbi5nbWFpbC5jb20=" - # This credential is a GCSR 'gitcookie' token. - password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}' - # This credential is an OAuth token for builds.sr.ht - sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}' ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cgit - labels: - app: cgit -spec: - replicas: 1 - selector: - matchLabels: - app: cgit - template: - metadata: - labels: - app: cgit - spec: - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - containers: - - name: cgit - image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }} - command: [ "cgit-launch" ] - env: - - name: HOME - value: /git - volumeMounts: - - name: git-volume - mountPath: /git - - name: sync-gcsr - image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }} - command: [ "sync-gcsr" ] - env: - - name: SYNC_USER - valueFrom: - secretKeyRef: - name: gcsr-secrets - key: username - - name: SYNC_PASS - valueFrom: - secretKeyRef: - name: gcsr-secrets - key: password - - name: SRHT_TOKEN - valueFrom: - secretKeyRef: - name: gcsr-secrets - key: sourcehut - volumeMounts: - - name: git-volume - mountPath: /git - volumes: - - name: git-volume - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: cgit -spec: - selector: - app: cgit - ports: - - protocol: TCP - port: 80 - targetPort: 8080 diff --git a/ops/infra/kubernetes/gemma/config.lisp b/ops/infra/kubernetes/gemma/config.lisp deleted file mode 100644 index 517a658cf150..000000000000 --- a/ops/infra/kubernetes/gemma/config.lisp +++ /dev/null @@ -1,19 +0,0 @@ -(config :port 4242 - :data-dir "/var/lib/gemma/") - -(deftask bathroom/wipe-mirror 7) -(deftask bathroom/wipe-counter 7) - -;; Bedroom tasks -(deftask bedroom/change-sheets 7) -(deftask bedroom/vacuum 10) - -;; Kitchen tasks -(deftask kitchen/normal-trash 3) -(deftask kitchen/green-trash 5) -(deftask kitchen/blue-trash 5) -(deftask kitchen/wipe-counters 3) -(deftask kitchen/vacuum 5 "Kitchen has more crumbs and such!") - -;; Entire place -(deftask clean-windows 60) diff --git a/ops/infra/kubernetes/https-cert/cert.yaml b/ops/infra/kubernetes/https-cert/cert.yaml deleted file mode 100644 index c7a85275ae67..000000000000 --- a/ops/infra/kubernetes/https-cert/cert.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: networking.gke.io/v1beta1 -kind: ManagedCertificate -metadata: - name: {{ .domain | replace "." "-" }} -spec: - domains: - - {{ .domain }} diff --git a/ops/infra/kubernetes/https-lb/ingress.yaml b/ops/infra/kubernetes/https-lb/ingress.yaml deleted file mode 100644 index 930affec7a15..000000000000 --- a/ops/infra/kubernetes/https-lb/ingress.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# This resource configures the HTTPS load balancer that is used as the -# entrypoint to all HTTPS services running in the cluster. ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: https-ingress - annotations: - networking.gke.io/managed-certificates: tazj-in, git-tazj-in, www-tazj-in, oslo-pub -spec: - rules: - # Route website to, well, the website ... - - host: tazj.in - http: - paths: - - path: /* - backend: - serviceName: website - servicePort: 8080 - # Same for www.* (the redirect is handled by the website nginx) - - host: www.tazj.in - http: - paths: - - path: /* - backend: - serviceName: website - servicePort: 8080 - # Route git.tazj.in to the cgit pods - - host: git.tazj.in - http: - paths: - - path: /* - backend: - serviceName: nginx - servicePort: 6756 - # Route oslo.pub to the nginx instance which serves redirects - - host: oslo.pub - http: - paths: - - path: / - backend: - serviceName: nginx - servicePort: 6756 diff --git a/ops/infra/kubernetes/nginx/nginx.conf b/ops/infra/kubernetes/nginx/nginx.conf deleted file mode 100644 index 918aa6067806..000000000000 --- a/ops/infra/kubernetes/nginx/nginx.conf +++ /dev/null @@ -1,59 +0,0 @@ -daemon off; -worker_processes 1; -error_log stderr; -pid /run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - log_format json_combined escape=json - '{' - '"time_local":"$time_local",' - '"remote_addr":"$remote_addr",' - '"remote_user":"$remote_user",' - '"request":"$request",' - '"status": "$status",' - '"body_bytes_sent":"$body_bytes_sent",' - '"request_time":"$request_time",' - '"http_referrer":"$http_referer",' - '"http_user_agent":"$http_user_agent"' - '}'; - - access_log /dev/stdout json_combined; - - sendfile on; - keepalive_timeout 65; - - server { - listen 80 default_server; - location / { - return 200 "ok"; - } - } - - server { - listen 80; - server_name oslo.pub; - - location / { - return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs; - } - } - - server { - listen 80; - server_name git.tazj.in; - - # Static assets must always hit the root. - location ~ ^/(favicon\.ico|cgit\.(css|png))$ { - proxy_pass http://cgit; - } - - # Everything else hits the depot directly. - location / { - proxy_pass http://cgit/cgit.cgi/depot/; - } - } -} diff --git a/ops/infra/kubernetes/nginx/nginx.yaml b/ops/infra/kubernetes/nginx/nginx.yaml deleted file mode 100644 index 61678a85bca0..000000000000 --- a/ops/infra/kubernetes/nginx/nginx.yaml +++ /dev/null @@ -1,60 +0,0 @@ -# Deploy an nginx instance which serves ... redirects. ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: nginx-conf -data: - nginx.conf: {{ insertFile "nginx.conf" | toJson }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx -spec: - replicas: 2 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - config: {{ insertFile "nginx.conf" | sha1sum }} - spec: - containers: - - name: nginx - image: nixery.local/shell/third_party.nginx:{{ .version }} - command: ["/bin/bash", "-c"] - args: - - | - cd /run - echo 'nogroup:x:30000:nobody' >> /etc/group - echo 'nobody:x:30000:30000:nobody:/tmp:/bin/bash' >> /etc/passwd - exec nginx -c /etc/nginx/nginx.conf - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx - - name: nginx-rundir - mountPath: /run - volumes: - - name: nginx-conf - configMap: - name: nginx-conf - - name: nginx-rundir - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: nginx -spec: - type: NodePort - selector: - app: nginx - ports: - - protocol: TCP - port: 6756 - targetPort: 80 diff --git a/ops/infra/kubernetes/nixery/config.yaml b/ops/infra/kubernetes/nixery/config.yaml deleted file mode 100644 index 0775e79b5843..000000000000 --- a/ops/infra/kubernetes/nixery/config.yaml +++ /dev/null @@ -1,67 +0,0 @@ -# Deploys an instance of Nixery into the cluster. -# -# The service via which Nixery is exposed has a private DNS entry -# pointing to it, which makes it possible to resolve `nixery.local` -# in-cluster without things getting nasty. ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nixery - namespace: kube-public - labels: - app: nixery -spec: - replicas: 1 - selector: - matchLabels: - app: nixery - template: - metadata: - labels: - app: nixery - spec: - containers: - - name: nixery - image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }} - volumeMounts: - - name: nixery-secrets - mountPath: /var/nixery - env: - - name: BUCKET - value: {{ .bucket}} - - name: PORT - value: "{{ .port }}" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/nixery/gcs-key.json - - name: GCS_SIGNING_KEY - value: /var/nixery/gcs-key.pem - - name: GCS_SIGNING_ACCOUNT - value: {{ .account }} - - name: GIT_SSH_COMMAND - value: 'ssh -F /var/nixery/ssh_config' - - name: NIXERY_PKGS_REPO - value: {{ .repo }} - - name: NIX_POPULARITY_URL - value: 'https://storage.googleapis.com/nixery-layers/popularity/{{ .popularity }}' - volumes: - - name: nixery-secrets - secret: - secretName: nixery-secrets - defaultMode: 256 ---- -apiVersion: v1 -kind: Service -metadata: - name: nixery - namespace: kube-public - annotations: - cloud.google.com/load-balancer-type: "Internal" -spec: - selector: - app: nixery - type: LoadBalancer - ports: - - protocol: TCP - port: 80 - targetPort: 8080 diff --git a/ops/infra/kubernetes/nixery/id_nixery.pub b/ops/infra/kubernetes/nixery/id_nixery.pub deleted file mode 100644 index dc3fd617d0a1..000000000000 --- a/ops/infra/kubernetes/nixery/id_nixery.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery diff --git a/ops/infra/kubernetes/nixery/known_hosts b/ops/infra/kubernetes/nixery/known_hosts deleted file mode 100644 index 7faf21f69bf8..000000000000 --- a/ops/infra/kubernetes/nixery/known_hosts +++ /dev/null @@ -1,3 +0,0 @@ -github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== -140.82.118.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== -[source.developers.google.com]:2022,[172.253.120.82]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY= diff --git a/ops/infra/kubernetes/nixery/secrets.yaml b/ops/infra/kubernetes/nixery/secrets.yaml deleted file mode 100644 index d9a674d2c9fc..000000000000 --- a/ops/infra/kubernetes/nixery/secrets.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# The secrets below are encrypted using keys stored in Cloud KMS and -# templated in by kontemplate when deploying. -# -# Not all of the values are actually secret (see the matching) ---- -apiVersion: v1 -kind: Secret -metadata: - name: nixery-secrets - namespace: kube-public -type: Opaque -data: - gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }} - gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }} - id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }} - id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }} - known_hosts: {{ insertFile "known_hosts" | b64enc }} - ssh_config: {{ insertFile "ssh_config" | b64enc }} diff --git a/ops/infra/kubernetes/nixery/ssh_config b/ops/infra/kubernetes/nixery/ssh_config deleted file mode 100644 index 78afbb0b039d..000000000000 --- a/ops/infra/kubernetes/nixery/ssh_config +++ /dev/null @@ -1,4 +0,0 @@ -Match host * - User tazjin@google.com - IdentityFile /var/nixery/id_nixery - UserKnownHostsFile /var/nixery/known_hosts diff --git a/ops/infra/kubernetes/primary-cluster.yaml b/ops/infra/kubernetes/primary-cluster.yaml deleted file mode 100644 index 3d601b80cd01..000000000000 --- a/ops/infra/kubernetes/primary-cluster.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# Kontemplate configuration for the primary GKE cluster in the project -# 'tazjins-infrastructure'. ---- -context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster -include: - # SSL certificates (provisioned by Google) - - name: tazj-in-cert - path: https-cert - values: - domain: tazj.in - - name: www-tazj-in-cert - path: https-cert - values: - domain: www.tazj.in - - name: git-tazj-in-cert - path: https-cert - values: - domain: git.tazj.in - - name: oslo-pub-cert - path: https-cert - values: - domain: oslo.pub - - # Services - - name: nixery - values: - port: 8080 - version: xkm36vrbcnzxdccybzdrx4qzfcfqfrhg - bucket: tazjins-data - account: nixery@tazjins-infrastructure.iam.gserviceaccount.com - repo: ssh://tazjin@gmail.com@source.developers.google.com:2022/p/tazjins-infrastructure/r/depot - popularity: 'popularity-nixos-unstable-3140fa89c51233397f496f49014f6b23216667c2.json' - - name: website - - name: cgit - - name: https-lb - - name: nginx - values: - version: a349d5e9145ae9a6c89f62ec631f01fb180de546 diff --git a/ops/infra/kubernetes/website/config.yaml b/ops/infra/kubernetes/website/config.yaml deleted file mode 100644 index 02de735b05d0..000000000000 --- a/ops/infra/kubernetes/website/config.yaml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: website - labels: - app: website -spec: - replicas: 3 - selector: - matchLabels: - app: website - template: - metadata: - labels: - app: website - spec: - containers: - - name: website - image: nixery.local/shell/web.homepage:{{ gitHEAD }} - env: - - name: CONTAINER_SETUP - value: "true" - command: [ "homepage" ] ---- -apiVersion: v1 -kind: Service -metadata: - name: website -spec: - type: NodePort - selector: - app: website - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 diff --git a/ops/kms_pass.nix b/ops/kms_pass.nix deleted file mode 100644 index 2399559b4da8..000000000000 --- a/ops/kms_pass.nix +++ /dev/null @@ -1,61 +0,0 @@ -# This tool mimics a subset of the interface of 'pass', but uses -# Google Cloud KMS for encryption. -# -# It is intended to be compatible with how 'kontemplate' invokes -# 'pass.' -# -# Only the 'show' and 'insert' commands are supported. - -{ depot, kms, ... }: - -let inherit (depot.third_party) google-cloud-sdk tree writeShellScriptBin; -in (writeShellScriptBin "pass" '' - set -eo pipefail - - CMD="$1" - readonly SECRET=$2 - readonly SECRETS_DIR=${./secrets} - readonly SECRET_PATH="$SECRETS_DIR/$SECRET" - - function secret_check { - if [[ -z $SECRET ]]; then - echo 'Secret must be specified' - exit 1 - fi - } - - if [[ -z $CMD ]]; then - CMD="ls" - fi - - case "$CMD" in - ls) - ${tree}/bin/tree $SECRETS_DIR - ;; - show) - secret_check - ${google-cloud-sdk}/bin/gcloud kms decrypt \ - --project ${kms.project} \ - --location ${kms.region} \ - --keyring ${kms.keyring} \ - --key ${kms.key} \ - --ciphertext-file $SECRET_PATH \ - --plaintext-file - - ;; - insert) - secret_check - ${google-cloud-sdk}/bin/gcloud kms encrypt \ - --project ${kms.project} \ - --location ${kms.region} \ - --keyring ${kms.keyring} \ - --key ${kms.key} \ - --ciphertext-file $SECRET_PATH \ - --plaintext-file - - echo "Inserted secret '$SECRET'" - ;; - *) - echo "Usage: pass show/insert <secret>" - exit 1 - ;; - esac -'') // { meta.enableCI = true; } diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree deleted file mode 100644 index 25dba2a344f4..000000000000 --- a/ops/secrets/.skip-subtree +++ /dev/null @@ -1 +0,0 @@ -No Nix derivations under //ops/secrets diff --git a/ops/secrets/gcsr-tazjin-password b/ops/secrets/gcsr-tazjin-password deleted file mode 100644 index 5893de131560..000000000000 --- a/ops/secrets/gcsr-tazjin-password +++ /dev/null Binary files differdiff --git a/ops/secrets/gmaps-api-key b/ops/secrets/gmaps-api-key deleted file mode 100644 index 6a4522646081..000000000000 --- a/ops/secrets/gmaps-api-key +++ /dev/null Binary files differdiff --git a/ops/secrets/nixery-gcs-json b/ops/secrets/nixery-gcs-json deleted file mode 100644 index b8b544511685..000000000000 --- a/ops/secrets/nixery-gcs-json +++ /dev/null Binary files differdiff --git a/ops/secrets/nixery-gcs-pem b/ops/secrets/nixery-gcs-pem deleted file mode 100644 index 798a1e5a66f8..000000000000 --- a/ops/secrets/nixery-gcs-pem +++ /dev/null Binary files differdiff --git a/ops/secrets/nixery-ssh-private b/ops/secrets/nixery-ssh-private deleted file mode 100644 index 5c4ff2023350..000000000000 --- a/ops/secrets/nixery-ssh-private +++ /dev/null Binary files differdiff --git a/ops/secrets/sr.ht-token b/ops/secrets/sr.ht-token deleted file mode 100644 index 53eb0d16b0e1..000000000000 --- a/ops/secrets/sr.ht-token +++ /dev/null Binary files differ |